Hsharma
Staff
Article Id 271862
Description

This article describes what to do when a FortiGate with FIPS-CC mode enabled is not able to send logs to FortiAnalyzer in version 7.2.5.

Scope

FortiGate v7.2.5.
Solution

In versions 7.2.5 and 7.4.0, a FortiGate in FIPS-CC mode verifies the FortiAnalyzer certificate. When that check fails, the following error appears in the OFTP debugs on FortiGate:


SSL_info_callback:320] SSL Alert read: fatal bad certificate
SSL_info_callback:330] error
SSL_info_callback:349] Error error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate

Some configuration changes are required on both FortiGate and FortiAnalyzer:

  1. A custom certificate needs to be created on both FortiGate and FortiAnalyzer. Certificates can be created by generating a CSR on each unit and sending it to the CA for signing.
  2. Both certificates must be signed by the same CA.
  3. Upload the CA certificate under the CA certificate sections of both FortiAnalyzer and FortiGate.
  4. On FortiGate, disable certificate verification with 'set certificate-verification disable'.

Certificate requirements: in v7.2.5 the OFTP certificate check has changed. FortiAnalyzer and a FIPS-CC mode FortiGate each need to have a certificate signed by the same CA.

CA cert requirement:

  • Basic Constraints shall be present and the value shall be 'true'.
  • Key Usage shall contain the cRLSign bit.
  • The FortiAnalyzer cert must not have been revoked by the CA.

FortiAnalyzer cert requirement:

  • FortiGate expects the subject of the FortiAnalyzer OFTP server cert to match the identity specified by 'set server <ip/hostname>' in the 'config log fortianalyzer setting' section (example: set server faz.domain.com).
  • The CN and SAN should match that IP/DNS name (example: faz.domain.com).
  • The Extended Key Usage field should not be missing.
  • The cert must be within its validity period.

 

FortiGate cert requirement:

  • A FIPS-CC FortiGate needs to have a certificate signed by the same CA.
  • A normal-mode FortiGate will also lose connectivity to FortiAnalyzer, so it needs the certificate installed as well. This can be a wildcard certificate from the same CA.
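To check a candidate FortiAnalyzer certificate and its CA against the requirements above before pointing a FIPS-CC FortiGate at it, here is an added shell example built on the openssl CLI; it is not Fortinet's code. The check_faz_cert and make_demo_certs functions, the file names and the demo hostnames (faz.domain.com from the text, bad.domain.com) are constructed for this example, and it assumes openssl 1.1.1 or later on PATH.

```shell
# Added example (not Fortinet's code): checks a FortiAnalyzer OFTP certificate
# and its CA against the requirements listed above using the openssl CLI.
# Assumes openssl >= 1.1.1 on PATH; file names and hostnames are constructed.

# check_faz_cert <ca.pem> <faz.pem> <value given to 'set server'>
# Prints one FAIL line per unmet requirement; returns 0 only when all pass.
check_faz_cert() {
  ca=$1; leaf=$2; server=$3; rc=0
  ca_txt=$(openssl x509 -in "$ca" -noout -text) || return 2
  leaf_txt=$(openssl x509 -in "$leaf" -noout -text) || return 2
  # CA cert: Basic Constraints present with CA:TRUE
  printf '%s\n' "$ca_txt" | grep -q 'CA:TRUE' \
    || { echo "FAIL: CA cert lacks Basic Constraints CA:TRUE"; rc=1; }
  # CA cert: Key Usage must contain the cRLSign bit (shown as 'CRL Sign')
  printf '%s\n' "$ca_txt" | sed -n '/X509v3 Key Usage/{n;p;}' | grep -q 'CRL Sign' \
    || { echo "FAIL: CA cert Key Usage lacks cRLSign"; rc=1; }
  # FAZ cert: Extended Key Usage must not be missing
  printf '%s\n' "$leaf_txt" | grep -q 'X509v3 Extended Key Usage' \
    || { echo "FAIL: FAZ cert has no Extended Key Usage"; rc=1; }
  # FAZ cert: still inside its validity period (not expired)
  openssl x509 -in "$leaf" -noout -checkend 0 >/dev/null \
    || { echo "FAIL: FAZ cert is expired"; rc=1; }
  # FAZ cert: chains to the CA and its CN/SAN matches 'set server' (IP or DNS)
  case $server in
    *[!0-9.]*) name_opt="-verify_hostname $server" ;;
    *)         name_opt="-verify_ip $server" ;;
  esac
  openssl verify -CAfile "$ca" $name_opt "$leaf" >/dev/null 2>&1 \
    || { echo "FAIL: FAZ cert does not chain to the CA or does not match '$server'"; rc=1; }
  return $rc
}

# make_demo_certs <dir>: constructed sample PKI for trying the check: a CA,
# a compliant FAZ cert for faz.domain.com and a non-compliant one (wrong name, no EKU).
make_demo_certs() {
  d=$1
  for n in ca faz bad; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n.domain.com" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'subjectAltName=DNS:faz.domain.com\nextendedKeyUsage=serverAuth\n' > "$d/faz.ext"
  printf 'subjectAltName=DNS:bad.domain.com\n' > "$d/bad.ext"
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 365 -extfile "$d/ca.ext" \
    -out "$d/ca.pem" 2>/dev/null
  for n in faz bad; do
    openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
      -days 365 -extfile "$d/$n.ext" -out "$d/$n.pem" 2>/dev/null
  done
}
```

Run it as `d=$(mktemp -d); make_demo_certs "$d"; check_faz_cert "$d/ca.pem" "$d/faz.pem" faz.domain.com` and then against "$d/bad.pem" to see both outcomes. Revocation is not covered by this check; that requires the CA's CRL.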

 

Here is a configuration example.

On FortiGate:

config log fortianalyzer setting
    set status enable
    set server "faz.domain.com"
    set certificate-verification disable
    set serial "FAZ-VM0000xxxxxx"
    set certificate "FIPS-FGT-Cert"
    set upload-option realtime
end

On FortiAnalyzer:

config system certificate oftp
    set mode local
    set local "FAZ-Cert"
end

 

After changing the OFTP setting on FortiAnalyzer, restart the oftpd daemon on FortiAnalyzer with the command 'diag test application oftpd 99'.

If it still does not work, try to change the FortiGate certificate to a wildcard certificate.